Heads up – a new patch arrived today for those of you who run OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n or 1.0.1o, the releases from June 2015 or later. If you use any of these, there are steps you need to take to protect yourself.
OpenSSL is a popular library offering encrypted HTTPS and other secure services for websites, and the patch is for a vulnerability that OpenSSL has classified as a “single security defect classified as ‘high’ severity”. Basically, something you need to sort out, sharpish.
OpenSSL released a Security Advisory on the vuln today, calling it an ‘Alternative chains certificate forgery (CVE-2015-1793)’ and describing it as: “An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate.” In English, they could fool the security process into thinking something was safe to approve, when it isn’t.
They go on to say: “This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication”, and offer the following advice: OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d, and OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p.
The bug doesn’t affect the 1.0.0 or 0.9.8 series, so if you use either of those then you’re all good. It is also not present in any version of OpenSSL shipped in any Red Hat, CentOS or Ubuntu products, so you’re also A-OK if you’re using those.
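The check the advisory describes as bypassable is the CA flag in basicConstraints: a certificate without CA:TRUE must not be allowed to “issue” anything. As an added example (not code from the original post or from the OpenSSL project), the script below builds a throwaway chain in which an ordinary leaf signs a further certificate, then asks the local `openssl` CLI to verify it; it assumes `openssl` 1.1.1 or later is on PATH, and all names, subjects and file paths are constructed for the test.

```sh
#!/bin/sh
# Added example, not part of the original post. Self-test that the local
# OpenSSL enforces the basicConstraints CA flag when building a chain.
# Constructed chain (all names are made up for this test):
#   Test Root (CA:TRUE) -> Test Leaf (CA:FALSE) -> forged.example signed by the leaf key
# A correct build must refuse forged.example, because its issuer is not a CA.

gen_key_csr() {  # $1 = base file name, $2 = subject
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" >/dev/null 2>&1
}

# Returns 0 if the forged chain is rejected, 1 if it is accepted, 2 if setup failed.
check_ca_flag_enforced() {
    work=$(mktemp -d) || return 2
    (
        cd "$work" || exit 2
        printf 'basicConstraints=critical,CA:TRUE\n'  > ca.ext
        printf 'basicConstraints=critical,CA:FALSE\n' > end.ext
        # Self-signed root with CA:TRUE
        gen_key_csr root "/CN=Test Root" || exit 2
        openssl x509 -req -in root.csr -signkey root.key -days 1 \
            -extfile ca.ext -out root.pem >/dev/null 2>&1 || exit 2
        # Leaf issued by the root, explicitly marked CA:FALSE
        gen_key_csr leaf "/CN=Test Leaf" || exit 2
        openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -days 1 -extfile end.ext -out leaf.pem >/dev/null 2>&1 || exit 2
        # "Forged" certificate signed with the leaf's key, as if the leaf were a CA
        gen_key_csr forged "/CN=forged.example" || exit 2
        openssl x509 -req -in forged.csr -CA leaf.pem -CAkey leaf.key -CAcreateserial \
            -days 1 -extfile end.ext -out forged.pem >/dev/null 2>&1 || exit 2
        # Verification must FAIL: the leaf lacks CA:TRUE, so it may not issue.
        if openssl verify -CAfile root.pem -untrusted leaf.pem forged.pem >/dev/null 2>&1; then
            exit 1
        fi
        exit 0
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

rc=0; check_ca_flag_enforced || rc=$?
case $rc in
    0) echo "OK: forged chain rejected, CA flag is enforced" ;;
    1) echo "WARNING: forged chain accepted, CA flag is NOT enforced" ;;
    *) echo "Test setup failed (is openssl 1.1.1 or later on PATH?)" ;;
esac
```

This exercises only the basic CA-flag rule, not the alternative-chain path the advisory describes, so a passing result confirms the check is present but is no substitute for upgrading to the fixed releases.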
However, it’s always important to keep an eye out for any new vulnerabilities that may affect you so that you ensure you’re not missing a trick.